Screen OS

  • 1.  Policy configuration doubt between policy-based IPsec VPN and zones to 3rd party

    Posted 03-20-2013 13:59

    Hi, I have a situation where I don't see how I can achieve the connectivity:

    SSG320 has a ZONE called PROVIDER, which hosts a business application for us in remote data centers. We have an access policy between PROVIDER and the internal TRUST zone to allow only certain traffic to come into our internal network. For the sake of discussion, the PROVIDER side network is 192.168.1.0/24 and our internal TRUST zone side network is 10.1.0/16. Now I have to establish a policy-based IPsec tunnel to one of our contractors so the contractors can access PROVIDER's network through our network; the contractor side network is 172.16.1.0/24. I assume I have to configure the policy-based IPsec tunnel to our contractor this way:

    policy from zone PROVIDER to Untrust, source 192.168.1.0/24, destination 172.16.1.0/24, action: tunnel, tunnel: VPN-to-Contractor.

    Problem is PROVIDER has no idea about the 172.16.1.0/24 network, so I will have to let the provider send traffic to 10.1.16.0/24, which is a network PROVIDER knows how to route to us. When SSG320 receives such traffic, SSG320 will destination NAT the traffic to 172.16.1.0/24 and send the traffic to the contractor over the VPN. Question: where do I configure this policy NAT? From PROVIDER to TRUST, even though the TRUST zone is not involved in the connection? Where do I configure the policy for the contractor to access 192.168.1.0? From Untrust->PROVIDER? That won't work because I will need to source NAT this traffic to one of our networks which PROVIDER knows. Or should I configure the policy-based VPN from zone TRUST to zone Untrust?

    Not sure I made myself clear; any feedback is appreciated.



  • 2.  RE: Policy configuration doubt between policy-based IPsec VPN and zones to 3rd party

    Posted 03-20-2013 19:41

    Hi,

    I don't think policy based VPN will help.
    You can try route based VPN as it gives you more control on routing and NAT.
    In route based VPN you can have a tunnel interface for routing and can also do NAT on it.

    However, before getting into it, you need to decide on how the firewall will decide if certain traffic from Provider will have to be forwarded to contractor.
    Will the traffic from provider to contractor come with a destination IP of 172.x.x.x?
    If yes then we can have the tunnel interface as the next hop for the destination 172.x network.

    Thanks.
    Hardeep



  • 3.  RE: Policy configuration doubt between policy-based IPsec VPN and zones to 3rd party

    Posted 03-20-2013 21:12

    Hi,

    Thank you so much for your response. The reason I thought about policy-based VPN is because the contractor side firewall is a SonicWall, and I am not sure route-based VPN will interop with SonicWall at all. Regarding your 2nd question, as I mentioned in the post, the contractor side network will appear as 10.1.16.0/24; when our side netscreen receives the traffic from the PROVIDER zone, I will destination NAT the traffic to 172.16.1.0/24. What other options do I have?

    If I ask PROVIDER to directly route 172.16.1.0/24 traffic so I don't have to worry about NAT on my side, I am still not sure where I should configure the policy-based VPN: from TRUST to Untrust, or from PROVIDER to Untrust? If the former, can I actually have the source network belong to the PROVIDER zone?



  • 4.  RE: Policy configuration doubt between policy-based IPsec VPN and zones to 3rd party

    Posted 03-21-2013 06:04

    Hi,

    Route based can work well with any vendor; you only need to make sure that the proxy-id is appropriately configured.

    For the NAT, sorry, I somehow missed reading about the 10.1 network.
    In this case you can have a MIP on the interface facing the Provider.
    This MIP will NAT the 10.1.x traffic to the Contractor network.

    Policy will be from Provider to Contractor, source: Provider, MIP(10.1.x).
    A route entry will be required so that the Provider network is routed over the VPN tunnel interface.

    Flow of traffic is as follows.
    1. Traffic from the provider network with destination 10.1.x hits the Provider facing interface.
    2. MIP on this interface NATs the destination IP to the contractor subnet.
    3. The route will push all this traffic to the tunnel interface and then to the contractor subnet over the VPN.

    Hope this helps.

    Thanks.
    Hardeep



  • 5.  RE: Policy configuration doubt between policy-based IPsec VPN and zones to 3rd party

    Posted 03-25-2013 12:00

    Hi, Hardeep,

    The provider actually has two networks for us, one for staging and the other one for production. With route-based VPN to the contractor and the default proxy-id, phase 2 won't come up, because it does not match the contractor side SAs. I am trying

    set vpn "to-contractor" proxy-id local-ip <staging_network> remote-ip <contractor_network> "ANY"
    set vpn "to-contractor" proxy-id local-ip <production_network> remote-ip <contractor_network> "ANY"

    But the next configuration always overwrites the previous one.

    If I switch to policy-based VPN, the VPN tunnel just comes up fine.



  • 6.  RE: Policy configuration doubt between policy-based IPsec VPN and zones to 3rd party
    Best Answer

    Posted 03-25-2013 19:43

    Hi,

    If you are running 6.3, it has multiple proxy-id support for route based VPN.

    Please refer to the links below:

    http://kb.juniper.net/KB15299

    http://kb.juniper.net/KB16008

    Thanks.

    Hardeep
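    Editor's added example, not posted by anyone in the thread and not taken from the Juniper KB articles: a ScreenOS 6.3 configuration that puts together the route-based design from reply 4 (tunnel interface, MIP on the PROVIDER-facing interface, route into the tunnel, policies) and the multiple proxy-id fix from reply 6. Values from the thread are kept (PROVIDER net 192.168.1.0/24, contractor net 172.16.1.0/24, MIP range 10.1.16.0/24, VPN name "to-contractor"); the production network 192.168.2.0/24, the contractor peer address 203.0.113.10, the pre-shared key, the gateway name "gw-contractor", the interface names (ethernet0/0 in Untrust, ethernet0/2 in PROVIDER) and the vrouter name are placeholders chosen for the example. ScreenOS has no comment syntax, so the lines beginning with '#' are annotations to be dropped before pasting. The exact name of the subnet MIP address object as ScreenOS creates it should be confirmed with "get mip" on the device before it is referenced in a policy.

```screenos
# Editor's example (not from the thread). Lines starting with '#' are annotations, not commands.
# Assumptions: ScreenOS 6.3; ethernet0/0 = Untrust; ethernet0/2 = PROVIDER zone;
# staging net 192.168.1.0/24 (from the thread); production net 192.168.2.0/24 (placeholder);
# contractor peer 203.0.113.10 (placeholder); contractor LAN 172.16.1.0/24; MIP range 10.1.16.0/24.

# Address book entries referenced by the policies below
set address "PROVIDER" "provider-staging" 192.168.1.0/24
set address "PROVIDER" "provider-production" 192.168.2.0/24
set address "Untrust" "contractor-net" 172.16.1.0/24

# Tunnel interface in the Untrust zone; the VPN is bound to it (route-based VPN)
set interface tunnel.1 zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/0

# IKE gateway to the contractor and the VPN bound to tunnel.1
set ike gateway "gw-contractor" address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-PSK" sec-level standard
set vpn "to-contractor" gateway "gw-contractor" sec-level standard
set vpn "to-contractor" bind interface tunnel.1

# Multiple proxy-ids (6.3): enable proxy-id checking, then add one entry per local network.
# Without 'proxy-id check' a second 'proxy-id' line replaces the first, which is the overwrite
# reported in reply 5; each entry must mirror a phase 2 selector on the contractor side.
set vpn "to-contractor" proxy-id check
set vpn "to-contractor" proxy-id local-ip 192.168.1.0/24 remote-ip 172.16.1.0/24 "ANY"
set vpn "to-contractor" proxy-id local-ip 192.168.2.0/24 remote-ip 172.16.1.0/24 "ANY"

# MIP on the PROVIDER-facing interface: destination 10.1.16.x is translated to 172.16.1.x
# (same host offset, /24 to /24); the translation is bidirectional, so contractor-originated
# traffic leaving toward the provider appears with a 10.1.16.x source.
set interface ethernet0/2 mip 10.1.16.0 host 172.16.1.0 netmask 255.255.255.0 vrouter "trust-vr"

# After the MIP translation the destination is 172.16.1.x, so route that network into the tunnel
set route 172.16.1.0/24 interface tunnel.1

# Policies: PROVIDER -> Untrust for provider-initiated traffic to the MIP range,
# Untrust -> PROVIDER for contractor-initiated traffic to the provider networks.
# Keep these narrower than "ANY" service in production; "ANY" is used here only to keep the example short.
set policy from "PROVIDER" to "Untrust" "provider-staging" "MIP(10.1.16.0/24)" "ANY" permit
set policy from "PROVIDER" to "Untrust" "provider-production" "MIP(10.1.16.0/24)" "ANY" permit
set policy from "Untrust" to "PROVIDER" "contractor-net" "provider-staging" "ANY" permit
set policy from "Untrust" to "PROVIDER" "contractor-net" "provider-production" "ANY" permit
```

    Walking a provider packet through this matches the three steps in reply 4: it arrives on ethernet0/2 with destination 10.1.16.5, the MIP rewrites the destination to 172.16.1.5, the route for 172.16.1.0/24 selects tunnel.1 in the Untrust zone, and the PROVIDER-to-Untrust policy with the MIP object as destination permits it into the VPN, where the 192.168.x.0/24 to 172.16.1.0/24 proxy-id selects the right phase 2 SA. The contractor side never needs to know about 10.1.16.0/24 for reaching the provider networks, only for the addresses the provider's replies carry, which the MIP handles.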



  • 7.  RE: Policy configuration doubt between policy-based IPsec VPN and zones to 3rd party

    Posted 04-04-2013 11:57

    Thanks, Hardeep, this worked perfectly.